[AUTO-CHERRYPICK] Patch fluent-bit for CVE-2024-50608 [HIGH] and CVE-2024-50609 [HIGH] - branch 3.0-dev (#12710)

Co-authored-by: kgodara912 <[email protected]>

Author: CBL-Mariner-Bot

SPECS/fluent-bit/CVE-2024-50608.patch

@@ -0,0 +1,59 @@
+From 76a68e4c23cbc0c0d8f4fd41577ae217d20aeee2 Mon Sep 17 00:00:00 2001
+From: Eduardo Silva <[email protected]>
+Date: Sun, 23 Feb 2025 21:25:00 -0600
+Subject: [PATCH 1/2] in_prometheus_remote_write: fix handling of
+ content-length (CVE-2024-50608)
+
+Upstream Patch Reference:
+https://github.com/fluent/fluent-bit/pull/9993
+
+Signed-off-by: Eduardo Silva <[email protected]>
+---
+ .../in_prometheus_remote_write/prom_rw_prot.c  | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/in_prometheus_remote_write/prom_rw_prot.c b/plugins/in_prometheus_remote_write/prom_rw_prot.c
+index d041c8f..8460c7f 100644
+--- a/plugins/in_prometheus_remote_write/prom_rw_prot.c
++++ b/plugins/in_prometheus_remote_write/prom_rw_prot.c
+@@ -345,6 +345,13 @@ int prom_rw_prot_handle(struct flb_prom_remote_write *ctx,
+         return -1;
+     }
+ 
++    if (request->data.data == NULL || request->data.len <= 0) {
++        flb_sds_destroy(tag);
++        mk_mem_free(uri);
++        send_response(ctx->ins, conn, 400, "error: no payload found\n");
++        return -1;
++    }
++
+     original_data = request->data.data;
+     original_data_size = request->data.len;
+ 
+@@ -466,13 +473,22 @@ int prom_rw_prot_handle_ng(struct flb_http_request *request,
+     /* HTTP/1.1 needs Host header */
+     if (request->protocol_version == HTTP_PROTOCOL_HTTP1 &&
+         request->host == NULL) {
+-
+         return -1;
+     }
+ 
+     if (request->method != HTTP_METHOD_POST) {
+         send_response_ng(response, 400, "error: invalid HTTP method\n");
++        return -1;
++    }
++
++    /* check content-length */
++    if (request->content_length <= 0) {
++        send_response_ng(response, 400, "error: invalid content-length\n");
++        return -1;
++    }
+ 
++    if (request->body == NULL) {
++        send_response_ng(response, 400, "error: invalid payload\n");
+         return -1;
+     }
+ 
+-- 
+2.48.1.431.g5a526e5e18
+

SPECS/fluent-bit/CVE-2024-50609.patch

@@ -0,0 +1,54 @@
+From ce99c23a61cea708c2d5093031bdade0a620595a Mon Sep 17 00:00:00 2001
+From: Eduardo Silva <[email protected]>
+Date: Sun, 23 Feb 2025 21:24:10 -0600
+Subject: [PATCH 2/2] in_opentelemetry: fix handling of content-length
+ (CVE-2024-50609)
+
+Upstream Patch Reference:
+https://github.com/fluent/fluent-bit/pull/9993
+
+Signed-off-by: Eduardo Silva <[email protected]>
+---
+ plugins/in_opentelemetry/opentelemetry_prot.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/plugins/in_opentelemetry/opentelemetry_prot.c b/plugins/in_opentelemetry/opentelemetry_prot.c
+index c1a45c4..2b40e09 100644
+--- a/plugins/in_opentelemetry/opentelemetry_prot.c
++++ b/plugins/in_opentelemetry/opentelemetry_prot.c
+@@ -1893,6 +1893,13 @@ int opentelemetry_prot_handle(struct flb_opentelemetry *ctx, struct http_conn *c
+     original_data = request->data.data;
+     original_data_size = request->data.len;
+ 
++    if (request->data.len <= 0) {
++        flb_sds_destroy(tag);
++        mk_mem_free(uri);
++        send_response(conn, 400, "error: no payload found\n");
++        return -1;
++    }
++
+     ret = opentelemetry_prot_uncompress(session, request,
+                                         &uncompressed_data,
+                                         &uncompressed_data_size);
+@@ -2462,6 +2469,18 @@ int opentelemetry_prot_handle_ng(struct flb_http_request *request,
+         return -1;
+     }
+ 
++    /* check content-length */
++    if (request->content_length <= 0) {
++        send_response_ng(response, 400, "error: invalid content-length\n");
++        return -1;
++    }
++
++    if (request->body == NULL) {
++        send_response_ng(response, 400, "error: invalid payload\n");
++        return -1;
++    }
++
++
+     if (strcmp(request->path, "/v1/metrics") == 0 ||
+         strcmp(request->path, "/opentelemetry.proto.collector.metric.v1.MetricService/Export") == 0 ||
+         strcmp(request->path, "/opentelemetry.proto.collector.metrics.v1.MetricsService/Export") == 0) {
+-- 
+2.48.1.431.g5a526e5e18
+

SPECS/fluent-bit/fluent-bit.spec

@@ -1,7 +1,7 @@
 Summary:        Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name:           fluent-bit
 Version:        3.1.9
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,8 @@ Source0:        https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.
 Patch0:         CVE-2024-34250.patch
 Patch1:         CVE-2024-25431.patch
 Patch2:         CVE-2024-27532.patch
+Patch3:         CVE-2024-50608.patch
+Patch4:         CVE-2024-50609.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
@@ -84,6 +86,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed Feb 26 2025 Kshitiz Godara <[email protected]> - 3.1.9-3
+- Address CVE-2024-50608 and CVE-2024-50609
+
 * Tue Dec 10 2024 Sudipta Pandit <[email protected]> - 3.1.9-2
 - Backport fixes for CVE-2024-27532